Privacy Snafu Exposes UK Holidaymakers’ Data for Three Years

The personal details of over 200,000 customers of a British holiday firm were left exposed in audio files for several years, according to a new report.

Truly Travels, which trades under the name Teletext Holidays, is unusual in that consumers browse its website for package deals before completing their order over the phone.

However, this is where the problems arose: Verdict found 212,000 audio files of these calls on an unsecured Amazon Web Services server.

The calls took place between April 10 and August 10, 2016, and appear to have been made by British holidaymakers making and amending bookings.

As such, names, dates of birth, email and home addresses, flight times and other holiday details could clearly be heard, although only partial card details were revealed.

The audio files were apparently recorded as part of a call center analysis project. Although the travel company removed all 532,000 files, including the audio, when notified, they appear to have been exposed for over three years.

“We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations,” a spokesperson told the website.

“The company is taking all appropriate steps to ensure that this situation does not occur in the future.”

Although the format of the files would make it slightly more labor-intensive for a cyber-criminal to extract the personally identifiable information (PII) of holidaymakers and their family members, it is still a major security risk.

“Data breaches involving PII provide cyber-criminals with a treasure trove of information that could be used to carry out identity fraud, phishing or targeted email attacks,” argued Robert Ramsden-Board, VP EMEA at Securonix.

“The lack of cyber-hygiene demonstrated here tells us a lot about current cybersecurity culture and organizations need to make sure that any sensitive data is stored on secure servers.”

Malcolm Taylor, director of cyber advisory at ITC Secure, described the exposed data as “an intelligence feed for hackers” which could lead to “more and worse” attacks on the affected customers.